
SSL/TLS and Universal SSL

Learning Focus

By the end of this lesson you will understand Cloudflare's four SSL/TLS encryption modes, how Universal SSL works, and how to configure end-to-end encryption between visitors and your origin server.

What Is Universal SSL?

Universal SSL is a free SSL certificate that Cloudflare automatically issues for every domain on its platform. The moment you add your domain and proxy traffic through Cloudflare, your site gets HTTPS — no configuration, no certificate management, no cost.

Cloudflare issues certificates through Google Trust Services and Let's Encrypt as certificate authorities.

What Universal SSL Covers

Coverage               | Details
-----------------------|----------------------------------------------------------------------
Root domain            | example.com
First-level subdomains | www.example.com, api.example.com
Multi-level subdomains | app.staging.example.com ❌ (requires Advanced Certificate Manager — paid)
Certificate type       | DV (Domain Validated)
Renewal                | Automatic — Cloudflare renews before expiration
Cost                   | Free

SSL/TLS Encryption Modes

This is the most critical configuration in Cloudflare SSL. The encryption mode controls how traffic is encrypted between three points: the visitor, Cloudflare's edge, and your origin server.

flowchart LR
V["Visitor"] -->|Connection 1| CF["Cloudflare Edge"]
CF -->|Connection 2| O["Origin Server"]

style CF fill:#f6821f,color:#fff,stroke:#e5711e

The Four Modes

1. Off

Visitor ---[HTTP]--→ Cloudflare ---[HTTP]--→ Origin

No encryption at all. All traffic is in plain text. Never use this.

2. Flexible

Visitor ---[HTTPS]--→ Cloudflare ---[HTTP]--→ Origin

The visitor sees HTTPS (green padlock), but Cloudflare connects to your origin over plain HTTP. This means traffic between Cloudflare and your server is unencrypted.

When Flexible Is Dangerous

Flexible mode gives visitors a false sense of security. Data between Cloudflare and your origin is unencrypted — vulnerable to interception if the network path is untrusted. Use Flexible only if your origin cannot support HTTPS at all (e.g., some shared hosting providers).

3. Full

Visitor ---[HTTPS]--→ Cloudflare ---[HTTPS]--→ Origin

Both connections are encrypted, but Cloudflare does not validate the origin's certificate: a self-signed or expired certificate on the origin is accepted, so the edge-to-origin hop is encrypted without the origin ever being authenticated.

4. Full (Strict)

Visitor ---[HTTPS]--→ Cloudflare ---[HTTPS (validated)]--→ Origin

Both connections are encrypted, and Cloudflare validates the origin's certificate. The certificate must be:

  • Issued by a trusted CA (e.g., Let's Encrypt), or
  • A Cloudflare Origin CA certificate

Mode Comparison

Mode          | Visitor ↔ Edge | Edge ↔ Origin | Origin Cert Validated? | Security Level
--------------|----------------|---------------|------------------------|---------------
Off           | ❌ HTTP        | ❌ HTTP       | N/A                    | None
Flexible      | ✅ HTTPS       | ❌ HTTP       | N/A                    | Low
Full          | ✅ HTTPS       | ✅ HTTPS      | ❌ No                  | Medium
Full (Strict) | ✅ HTTPS       | ✅ HTTPS      | ✅ Yes                 | High

Best Practice

Always use Full (Strict). It provides true end-to-end encryption with certificate validation. Use Cloudflare Origin CA certificates (free) if your origin doesn't have a certificate.

Cloudflare Origin CA Certificates

If your origin server doesn't have a certificate from a public CA, Cloudflare provides free Origin CA certificates — valid for up to 15 years, trusted only by Cloudflare's edge servers.

Generating an Origin CA Certificate

  1. Go to SSL/TLS → Origin Server in the Cloudflare dashboard
  2. Click "Create Certificate"
  3. Choose:
    • Key type: RSA (2048) or ECDSA
    • Hostnames: example.com, *.example.com
    • Validity: 15 years (default)
  4. Download the certificate and private key

Installing on Nginx

# /etc/nginx/sites-available/example.com
server {
    listen 443 ssl;
    server_name example.com;

    # Origin CA certificate and private key downloaded from the Cloudflare dashboard
    ssl_certificate     /etc/ssl/cloudflare/origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare/origin-key.pem;

    # Restrict to Cloudflare IPs only (recommended); keep this list in sync with
    # https://www.cloudflare.com/ips/
    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    allow 103.22.200.0/22;
    allow 103.31.4.0/22;
    allow 141.101.64.0/18;
    allow 108.162.192.0/18;
    allow 190.93.240.0/20;
    allow 188.114.96.0/20;
    allow 197.234.240.0/22;
    allow 198.41.128.0/17;
    allow 162.158.0.0/15;
    allow 104.16.0.0/13;
    allow 104.24.0.0/14;
    allow 172.64.0.0/13;
    allow 131.0.72.0/22;
    deny all;

    location / {
        proxy_pass http://localhost:3000;
    }
}

Tip

Cloudflare Origin CA certificates are only trusted by Cloudflare's edge. If you bypass Cloudflare (e.g., connect directly to the origin), browsers will show a certificate warning. This is by design — it ensures traffic must flow through Cloudflare.
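The allow/deny list above only protects the origin if nothing reaches it any other way. As an added example (not from this lesson or from Cloudflare), the script below audits Nginx access logs for requests whose client address is outside Cloudflare's published IPv4 ranges, which is exactly the direct-to-origin traffic the config is meant to block; the log lines are constructed, and the range list is copied from the config above.

```python
import ipaddress
import re

# Cloudflare IPv4 ranges as listed in the Nginx config above. The authoritative
# list is https://www.cloudflare.com/ips/ and changes over time, so fetch it
# periodically rather than hard-coding it in production tooling.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Client address, timestamp and request line of an Nginx "combined" log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def is_cloudflare_ip(addr: str) -> bool:
    """True if addr lies inside one of the published Cloudflare IPv4 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP at all (e.g. a hostname); treat as untrusted
    return any(ip in net for net in CLOUDFLARE_IPV4)

def find_direct_hits(log_lines):
    """Return (timestamp, ip, request) for entries whose client is not Cloudflare.
    Any such entry means the origin answered a request that bypassed the proxy,
    i.e. the allow/deny rules (or host firewall) are not actually enforced."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and not is_cloudflare_ip(m.group("ip")):
            hits.append((m.group("ts"), m.group("ip"), m.group("req")))
    return hits

# Constructed sample log lines (not real traffic); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for arbitrary internet hosts.
SAMPLE_LOG = [
    '172.68.10.5 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024',
    '104.17.3.9 - - [10/Mar/2024:12:00:03 +0000] "POST /api HTTP/1.1" 201 64',
    '203.0.113.4 - - [10/Mar/2024:12:00:04 +0000] "GET /login HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ts, ip, req in find_direct_hits(SAMPLE_LOG):
        print(f"{ts} direct-to-origin request from {ip}: {req}")
```

Any hit at all means the origin IP is reachable without Cloudflare in front of it, which is the condition the "Expose your origin IP publicly" anti-pattern warns about.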

Always Use HTTPS

Cloudflare can automatically redirect all HTTP requests to HTTPS:

  1. Go to SSL/TLS → Edge Certificates
  2. Enable "Always Use HTTPS"

This adds a 301 redirect from http:// to https:// for all requests.

Alternatively, you can enable Automatic HTTPS Rewrites to fix mixed content issues by rewriting http:// URLs in your page to https://.

HSTS (HTTP Strict Transport Security)

HSTS tells browsers to always use HTTPS for your domain, even if the user types http://. This prevents downgrade attacks.

Enabling HSTS

  1. Go to SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS)
  2. Enable and configure:

Setting            | Recommended Value | Description
-------------------|-------------------|-----------------------------------------
Max-Age            | 31536000 (1 year) | How long browsers remember to use HTTPS
Include subdomains | Yes               | Apply HSTS to all subdomains
Preload            | Yes (optional)    | Submit to browser HSTS preload lists
No-Sniff           | Yes               | Prevent MIME-type sniffing

Warning

Once HSTS is enabled with a long max-age, you cannot easily go back to HTTP. Make sure your site works fully on HTTPS before enabling.

Minimum TLS Version

Control the minimum TLS version clients must support:

TLS Version | Recommendation         | Notes
------------|------------------------|--------------------------------------
TLS 1.0     | ❌ Deprecated          | Vulnerable, disabled by most browsers
TLS 1.1     | ❌ Deprecated          | Also being phased out
TLS 1.2     | ✅ Recommended minimum | Widely supported, secure
TLS 1.3     | ✅ Best                | Fastest handshake, most secure

Set this at SSL/TLS → Edge Certificates → Minimum TLS Version.

Cloudflare supports TLS 1.3 by default, and you should set the minimum to TLS 1.2 to drop support for deprecated versions.

Common Misconceptions

"Flexible SSL is secure because visitors see the padlock"

Reality: Flexible only encrypts the visitor-to-Cloudflare connection. Traffic between Cloudflare and your origin is plain HTTP. An attacker on the origin's network can intercept everything. Always use Full (Strict).

"I need to buy an SSL certificate to use Cloudflare"

Reality: Cloudflare provides free certificates on both sides — Universal SSL for visitors, and Origin CA for the origin connection. You never need to purchase a certificate.

"Universal SSL covers deep subdomains like a.b.example.com"

Reality: Universal SSL only covers the root domain and first-level subdomains (*.example.com). For multi-level subdomains, you need Advanced Certificate Manager (paid).

Anti-Patterns to Avoid

Don't Do This                   | Do This Instead
--------------------------------|-----------------------------------------------------
Use "Flexible" mode permanently | Use Full (Strict) with an Origin CA certificate
Forget to enable HTTPS redirect | Enable "Always Use HTTPS"
Allow TLS 1.0/1.1               | Set minimum TLS version to 1.2
Expose your origin IP publicly  | Restrict origin to Cloudflare IPs and use proxy mode
Ignore mixed content warnings   | Enable Automatic HTTPS Rewrites

Key Takeaways

  • Universal SSL is free and automatic — every proxied domain gets HTTPS instantly.
  • Always use Full (Strict) mode for true end-to-end encryption.
  • Use Cloudflare Origin CA certificates — they're free and valid for 15 years.
  • Enable Always Use HTTPS and HSTS to prevent downgrade attacks.
  • Set minimum TLS version to 1.2 and keep TLS 1.3 enabled.

What's Next